Melcoz
Melcoz is a Brazilian banking trojan associated with the "Tetrade" cluster identified by Kaspersky, alongside Grandoreiro, Guildma, and Ousaban/Javali. The malware targets Windows systems and is focused on online banking fraud. Reported capabilities include monitoring clipboard contents, stealing credentials from web browsers, monitoring the victim's browser for online banking sessions, and displaying an overlay window to manipulate banking sessions in the background. Observed execution and delivery methods include malicious links embedded in emails, MSI files with embedded VBScript, VBS scripts used to execute malicious DLLs, and distribution via an AutoIt loader script. Melcoz samples have also been packed with VMProtect and Themida to hinder analysis and evade detection.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Multiple actors and malware families are described as sending spearphishing/phishing emails containing malicious links (including shortened URLs, cloud-hosted links, and links to archives or documents) to deliver malware, harvest credentials, or redirect victims to malicious content.
Execution (5 techniques)
Threat actors and malware families are repeatedly described as using VBScript/VBS, VBA macros, and other Visual Basic code for execution, payload delivery, persistence, reconnaissance, and command execution.
APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance. Melcoz has been distributed through an AutoIt loader script.
"AppleJeus ... has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence." / "APT41 ... has used search order hijacking to execute malicious payloads" / "Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons."
Stealth (3 techniques)
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
"AppleJeus delivered components using a Windows Installer package (.msi)... executed the 3CXDesktopApp.exe..." / "APT38 has used msiexec.exe to execute malicious files." / "Rancor has used msiexec to download and execute malicious installer files over HTTP." / "TA505 has used msiexec to download and execute malicious Windows Installer files."
"AppleJeus ... has also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence." / "APT41 ... has used search order hijacking to execute malicious payloads" / "Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons."
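The Execution and Stealth sections above describe the same delivery chain from a defender's point of view: msiexec fetching or running an installer, VBScript spawned from the installer, a VBS file handing off to a DLL loader such as rundll32 or regsvr32, and an AutoIt interpreter running a loader script. The following is an added example, not code from the page or from any vendor; it is a small process-creation triage routine that flags those hand-offs in a stream of events. The event shape, the field names, the finding labels, and all sample events are constructed for illustration; "example.invalid" and the user paths are placeholders, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcessEvent:
    """One process-creation record (constructed shape, like a Sysmon EID 1 subset)."""
    parent_image: str
    image: str
    command_line: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Paths a standard user can write to; system paths deliberately excluded.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|public)|\\programdata\\|\\temp\\)",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: ProcessEvent) -> List[str]:
    """Return the ordered list of findings that apply to one event (empty if none)."""
    findings: List[str] = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line.lower()

    # msiexec pulling an installer straight from a URL (remote .msi execution).
    if image == "msiexec.exe" and re.search(r"https?://", cmd):
        findings.append("msiexec_remote_installer")
    # An installer custom action spawning a script host (VBScript embedded in an MSI).
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        findings.append("msiexec_spawned_script_host")
    # A .vbs file run from a user-writable directory.
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd) and USER_WRITABLE.search(cmd):
        findings.append("script_host_vbs_user_path")
    # VBS handing off to rundll32/regsvr32 (VBS scripts used to execute DLLs).
    if parent in SCRIPT_HOSTS and image in DLL_LOADERS:
        findings.append("vbs_spawned_dll_loader")
    # A DLL loaded by rundll32/regsvr32 from a user-writable directory.
    if image in DLL_LOADERS and re.search(r"\.dll\b", cmd) and USER_WRITABLE.search(cmd):
        findings.append("dll_loaded_from_user_path")
    # The AutoIt interpreter running a script (AutoIt loader).
    if image == "autoit3.exe":
        findings.append("autoit_script_execution")
    return findings

def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that produced at least one."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

# Constructed sample telemetry (not real events; paths and host are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Office\outlook.exe",
                 "outlook.exe"),
    ProcessEvent(r"C:\Program Files\Office\outlook.exe", r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /i http://example.invalid/update.msi /qn"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\alice\AppData\Local\Temp\setup.vbs"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Roaming\upd\core.dll,Start"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\AutoIt3\AutoIt3.exe",
                 r"AutoIt3.exe C:\Users\alice\Downloads\loader.au3"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /V"),  # the Windows Installer service itself; benign
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # system path; benign
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index].command_line, "->", ", ".join(findings))
```

Each finding on its own is noisy; the value is in the parent/child chain, so in practice the four labels from the MSI, VBS, DLL-loader and AutoIt stages would be correlated on the process tree before paging anyone. The user-writable path filter is what keeps ordinary `rundll32 shell32.dll` and the Windows Installer service out of the results.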
Credential Access (1 technique)
Collection (2 techniques)
Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.
Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates. Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies. Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields. IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. Melcoz can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background. QakBot can use advanced web injects to steal web banking credentials. TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page. Ursnif has injected HTML codes into banking sites to steal sensitive online banking information.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Brazilian banking trojan mentioned as a peer family within the same Tetrade grouping as Ousaban.
Malware that uses VBS scripts to execute malicious DLLs.
Malware capable of stealing credentials from web browsers.
Banking trojan that monitors browser activity during online banking sessions and uses overlay windows to manipulate the session.